The GDPR: 29 Things ALL Marketers Must Know

First: None of this is legal advice. I’m 24 years out of law school, and my eyes cross when I read any form of legislation. For the legalities, visit the GDPR site and/or hire a lawyer.

I wrote this list while ranting about the various awful blog posts I’ve read by “experts,” and marketers’ tendency to try to game their way out of everything. You can’t game your way out of GDPR. It’s not like link schemes or content spinning. It’s a real regulation with real, ulcer-generating consequences if you violate it.

Here are my random thoughts, in a somewhat-orderly list:

I’m a marketer. What is the GDPR, in non-politician speak?

It’s a pile of rules that politicians and lawyers call a “regulation.”

That means it’s not a “recommendation” or a “suggestion.” It’s more of a “follow this, or you’ll get beaten to a pulp” kind of thing.

The EU wrote the GDPR to protect the personal data of people in the EU. It regulates how businesses collect, use, store, and share that information.

The GDPR is not another please-don’t-dump-records-off-the-back-of-a-truck-thanks law. Someone in the EU got one too many “greetings of the day” emails and decided to kick some marketer ass. It’s thorough and complicated.

It takes effect on May 25th, 2018.

Does it apply to me?

If you’re outside the European Union but you sell to people in the EU, or you track their behaviour when they visit your site, the GDPR probably applies.

An easy test: Would you be OK blocking all traffic from the EU? No? Then you had better comply with the GDPR.

What’s all this “consent” talk?

The GDPR uses the term “personal data” rather than personally identifiable information (PII), but the idea is the same: anything that, on its own or combined with other information, can be used to identify someone. If a CSI character could use it to track you down, it’s PII.

You need a lawful basis to process any PII. For marketing, that almost always means collecting some form of consent.

You need to collect explicit consent any time you collect sensitive personal data (health, religion, political opinions, and the other “special categories”).

Explicit consent doesn’t mean someone stares at the screen and says “Yes, f–k you!” It means they opt in to share information, allow you to use it as stated, and know what information they’re sharing. In practice it also means double opt-in, or even an electronic signature.

One tip: Make it easy for people to delete their accounts/records from your databases (the GDPR calls this the right to erasure). A nice form where they can say “please forget about me. It’s not me, it’s you” will go a long way.

Corrections

I’ve heard some awful advice. So read these and hang them on your monitor:

No matter what folks tell you, IP addresses are personally identifiable information!!! The GDPR says so explicitly: Recital 30 lists IP addresses among the online identifiers that can be tied to a natural person.

Facebook, Google, et al. will not protect you. They consider GDPR compliance our responsibility. Don’t rely on them. Facebook is especially sensitive right now and has every incentive to distance itself from the way we use its data.

This is an outrage!!!!

You’re right! In the good old days, we could collect user data like candy and trade it at the corner store. I could stalk consumers around the internet in ways that make Hannibal Lecter look cuddly.

GDPR infringes on my rights.

I’m furious.

Yes, compliance will cost you money. It costs me money. And time. It’s a pain in the tuchus. It will cost a lot more if you don’t comply.

Ian Lurie is CEO and founder of Portent and the EVP of Marketing Services at Clearlink. He's been a digital marketer since the days of AOL and Compuserve (25 years, if you're counting). He's recorded training for Lynda.com, writes regularly for the Portent Blog and has been published on AllThingsD, Smashing Magazine, and TechCrunch. Ian speaks at conferences around the world, including SearchLove, MozCon, Seattle Interactive Conference and ad:Tech. He has published several books about business and marketing: One Trick Ponies Get Shot, available on Kindle, The Web Marketing All-In-One Desk Reference for Dummies, and Conversation Marketing. Follow him on Twitter at portentint, and on LinkedIn at LinkedIn.com/in/ianlurie.

Comments

Hi Ian, I’m not sure about these points: 11. Non-sensitive data includes things like cookies 12. Non-sensitive data does not require explicit opt-in My understanding is that if cookies are used to personalise advertising, you most definitely do need opt-in consent. So if you drop remarketing cookies for AdWords, you have to have opt-in to use it (and Google’s https://cookiechoices.org site backs this up). Plain Analytics cookies are more debatable – people seem split on whether you need opt-in consent. Certainly the ePrivacy Directive (in draft so not yet law, but likely to be passed similar to its current form) explicitly excludes analytics cookies from requiring opt-in consent, but GDPR itself is less clear. Certainly some people seem to think you still need consent, my personal opinion is not (unless you use Google Analytics Advertising Features, inc. Demographic/Interest reports). You also need to ensure there is no PII in your Analytics data (e.g. email addresses in URL query parameters) and that you have chosen your data retention period in Analytics (with a good reason as to why you’ve chosen that length of time). And as you point out, IP addresses are PII, so whilst you may not see the actual IP of your users in Analytics, Google is gathering it, so you need to enable IP anonymization for Analytics to be compliant.

My understanding is that under the GDPR, “explicit consent” means some kind of dual-opt-in, up to and including an e-signature. So if a medical clinic asks me for health info, they need to ask me for an e-signature. Non-sensitive information, like name/email requires consent and an easy way to be “forgotten,” but not explicit consent. So a standard opt-in does the trick. It gets even murkier when you get to cookies and IP addresses. Yes, you can anonymize in Google Analytics, but what about your log file? The GDPR is very slippery on all this, probably deliberately. Which doesn’t make our lives any easier.
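The analytics-hygiene steps in the comment above (keep email addresses out of the query strings that reach Analytics, turn on IP anonymization) and the log-file question in the reply come down to the same two transforms applied in two places. What follows is an added example, not code from the original post or from Google: it redacts PII-bearing query parameters before a URL is handed to an analytics tag, and truncates IP addresses the way Google documents its anonymizeIp setting (IPv4: last octet zeroed; IPv6: last 80 bits zeroed), applied here both to a URL and to a constructed web-server log line. The query keys treated as PII, the function names and the sample log line are this example's own assumptions, and it assumes Node.js for the WHATWG URL global.

```javascript
// Added example, not code from the original post or from Google. Redacts
// PII-bearing query parameters and anonymizes IPs the way the Google Analytics
// anonymizeIp option is documented (IPv4: last octet zeroed; IPv6: last 80
// bits zeroed). Key names, function names and the sample line are assumptions.

// Query-string keys this (hypothetical) site uses to carry personal data.
const PII_QUERY_KEYS = new Set(["email", "name", "phone", "uid"]);
// Also catch an email address that arrives under any other key (e.g. ?q=...).
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function redactSearchParams(url) {
  // Copy first: mutating searchParams while iterating it is not safe.
  for (const [key, value] of [...url.searchParams]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  return url;
}

// Absolute URL in, absolute URL out; call this before handing a page URL to
// the analytics tag.
function redactUrl(rawUrl) {
  return redactSearchParams(new URL(rawUrl)).toString();
}

function anonymizeIpv4(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 &&
    parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) return null;
  parts[3] = "0";                       // drop the host part of the /24
  return parts.join(".");
}

function anonymizeIpv6(ip) {
  // Expand "::" into the full eight groups, keep the first three (48 bits),
  // zero the remaining 80 bits and re-compress the result as "a:b:c::".
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every(g => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  const kept = groups.slice(0, 3).map(g => g.toLowerCase().replace(/^0+(?=.)/, ""));
  return kept.join(":") + "::";
}

function anonymizeIp(ip) {
  return ip.includes(":") ? anonymizeIpv6(ip) : anonymizeIpv4(ip);
}

// Common/combined log format: the client IP is the first field and the request
// line is the first quoted string. Scrub both before the line is retained.
const REQUEST_RE = /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/;

function anonymizeLogLine(line) {
  const space = line.indexOf(" ");
  if (space < 0) return line;
  const ip = anonymizeIp(line.slice(0, space)) || line.slice(0, space);
  const rest = line.slice(space).replace(REQUEST_RE, (_m, method, target, proto) => {
    // The base host is a placeholder; only the path and query are kept.
    const u = redactSearchParams(new URL(target, "http://placeholder.invalid"));
    return `"${method} ${u.pathname}${u.search} ${proto}"`;
  });
  return ip + rest;
}

// Constructed sample, not a real log entry.
const SAMPLE_LINE =
  '203.0.113.45 - - [25/May/2018:10:00:00 +0000] "GET /thanks?email=jane%40example.com&plan=pro HTTP/1.1" 200 512 "-" "Mozilla/5.0"';

console.log(redactUrl("https://example.com/signup?email=jane%40example.com&plan=pro"));
console.log(anonymizeIp("203.0.113.45"), anonymizeIp("2001:db8:85a3::8a2e:370:7334"));
console.log(anonymizeLogLine(SAMPLE_LINE));
```

Run redactUrl on the page URL before the analytics tag sees it, and anonymizeLogLine in whatever pipeline writes or rotates the access log. Note that the IP function only reproduces what the Analytics setting does; whether a truncated address is "anonymous enough" for your purposes is the judgement call the comments above leave open, so treat it as a reduction of personal data rather than its removal.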

Hey Ian – great article, excellent writing style. Couldn’t you feign ignorance on the part of everything GDPR stands for? For example – let’s say I’m a business in the US and I target just the US but organically people from Europe come in and slip into the customer mix. So when we create re-marketing lists from Analytics and import them to Adwords, wouldn’t this be in the realm of Google as no PII can be seen? So I could in theory capture users in Europe through Analytics and re-market to them without presenting them an opt-in? Thanks, WC

I wouldn’t risk it. The potential penalties are severe. And we’re held accountable for PII stored by Google. Don’t count on ignorance as a defense. Marketers rarely, if ever, get the benefit of the doubt, and we all spend a lot of time talking about remarketing and cookies and how it all works.